Managed XDR

test-dfc-exe.eml: dynamic analysis report for a malicious file

File information

File name
test-dfc-exe.eml
File type
HTML document, ASCII text, with CRLF, LF line terminators
File size
1.3 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
4d78a5cb1039266b6356ffa3a68e1a4225fc9fb9
SHA256
f13e7a1c945c569f7b3dff81ce8937c7ae201a6fec112cd999a87f87bfb82862
MD5
96b782faa591da1b80f7c639fff709a8

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1059 autoit: AutoIt script execution detected
T1059.001 suspicious_process: Spawns a suspicious process
T1059 autoit_suspicious_script: Autoit contains suspicious script
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

creates_exe: Creates executable files in the file system
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity
yara_rules: Static rules